`571-272-7822
`
`
`
`
`
`
`
`
`
`
`
`
`
` Paper No. 11
`Filed: April 3, 2018
`
`
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`____________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`____________
`
`CISCO SYSTEMS, INC.,
`Petitioner,
`
`v.
`
`FINJAN, INC.,
`Patent Owner.
`____________
`
`Case IPR2017-02155
`Patent 8,677,494 B2
`____________
`
`
`Before ZHENYU YANG, CHARLES J. BOUDREAU, and
`SHEILA F. McSHANE, Administrative Patent Judges.
`
`BOUDREAU, Administrative Patent Judge.
`
`
`
`
`DECISION
`Denying Institution of Inter Partes Review
`37 C.F.R. § 42.108
`
`
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`
`I. INTRODUCTION
`Cisco Systems, Inc. (“Petitioner”) filed a Petition (Paper 1, “Pet.”)
`requesting inter partes review of claims 10, 11, and 14–16 of U.S. Patent
`No. 8,677,494 B2 (Ex. 1001, “the ’494 patent”). Pet. 1. Finjan, Inc.
`(“Patent Owner”) filed a Preliminary Response. Paper 6 (“Prelim. Resp.”).
`With authorization from the Board, Petitioner additionally filed a Reply to
`Patent Owner’s Preliminary Response (Paper 8, “Reply”), to address Patent
`Owner’s arguments concerning application of the Board’s decision in
`General Plastic Industrial Co. v. Canon Kabushiki Kaisha, Case
`IPR2016-01357 (PTAB Sept. 6, 2017) (Paper 19), which was designated as
`a precedential decision after the filing of the Petition; and Patent Owner filed
`a Corrected Sur-reply (Paper 10, “Sur-reply”).
`We review the Petition under 35 U.S.C. § 314, which provides that an
`inter partes review may not be instituted “unless . . . there is a reasonable
`likelihood that the petitioner would prevail with respect to at least 1 of the
`claims challenged in the petition.” 35 U.S.C. § 314(a). For the reasons that
`follow and on this record, we are not persuaded that Petitioner demonstrates
`a reasonable likelihood of prevailing in showing the unpatentability of any
`of the challenged claims on the asserted grounds. Accordingly, we deny
`Petitioner’s request to institute an inter partes review.
`
`A. Related Proceedings
`The parties report that the ’494 patent is the subject of several district
`court actions, including Finjan, Inc. v. Cisco Systems, Inc., 5:17-cv-00072
`(N.D. Cal. 2017). Pet. 4–5; Paper 4, 1.
`
` 2
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`
`Certain claims of the ’494 patent were challenged previously in
`petitions for inter partes review filed by Sophos, Inc. (Case
`IPR2015-01022), Symantec Corp. (Cases IPR2015-01892 and
`IPR2015-01897), Palo Alto Networks, Inc. (Case IPR2016-00159), and Blue
`Coat Systems, Inc. (Cases IPR2016-00890, IPR2016-01174, and
`IPR2016-01443). We denied the petitions in IPR2015-01022 on Sept. 24,
`2015, IPR2015-01897 on February 26, 2016, and IPR2016-01443 on
`January 23, 2017. We instituted a trial in IPR2015-01892, to which we later
`joined Blue Coat as a petitioner on a motion for joinder filed in
`IPR2016-00890, and we issued a final written decision on March 15, 2017.
`We also instituted a trial in IPR2016-00159, to which we also later joined
`Blue Coat as a petitioner on a motion for joinder filed in IPR2016-01174,
`and we issued a final written decision on April 11, 2017. Both final written
`decisions are currently on appeal to the U.S. Court of Appeals for the
`Federal Circuit, in Appeal Nos. 17-2034 and 17-2543, respectively.
`In addition to the instant Petition, Petitioner also has filed a petition
`seeking inter partes review of related U.S. Patent No. 6,154,844, which also
`is involved in the above-referenced Finjan, Inc. v. Cisco Systems, Inc.
`district court action. IPR2017-02154, Paper 1.
`
`B. The ’494 Patent
`The ’494 patent describes protection systems and methods “capable of
`protecting a personal computer (‘PC’) or other persistently or even
`intermittently network accessible devices or processes from harmful,
`
` 3
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`undesirable, suspicious or other ‘malicious’ operations that might otherwise
`be effectuated by remotely operable code.” Ex. 1001, 2:51–56. “[R]emotely
`operable code that is protectable against can include,” for example,
`“downloadable application programs, Trojan horses and program code
`groupings, as well as software ‘components’, such as Java™ applets,
`ActiveX™ controls, JavaScript™/Visual Basic scripts, add-ins, etc., among
`others.” Id. at 2:59–64.
`
`C. Illustrative Claim
`Of the challenged claims, only claim 10, reproduced below, is
`independent.
`10. A system for managing Downloadables, comprising:
`a receiver for receiving an incoming Downloadable;
`a Downloadable scanner coupled with said receiver, for
`deriving security profile data for the Downloadable, including a
`list of suspicious computer operations that may be attempted by
`the Downloadable; and
`a database manager coupled with said Downloadable scanner,
`for storing the Downloadable security profile data in a database.
`
`Ex. 1001, 22:7–16.
`
` 4
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`
`D. Asserted Grounds of Unpatentability
`Petitioner asserts the following grounds of unpatentability:
`
`Claims
`10, 11, 14–16
`
`10, 11, 14–16
`
`Basis
`§ 103
`
`References
`Shear1 and Kerchen2
`
`§ 103 Crawford 913 and the knowledge of
`a person of ordinary skill in the art
`
`
`Pet. 24. Petitioner also relies on a Declaration of Dr. Paul Clark, filed as
`Exhibit 1003.
`
`II. DISCUSSION
`A. Claim Construction
`Based on the ’494 patent’s claim of priority from U.S. Patent
`Application No. 08/790,097, filed January 29, 1997, the ’494 patent expired
`no later than January 29, 2017. See 35 U.S.C. § 154(a)(2). In an inter
`partes review, we construe claims of an expired patent according to the
`standard applied by the district courts. See In re Rambus Inc., 694 F.3d 42,
`46 (Fed. Cir. 2012). Specifically, we apply the principles set forth in
`Phillips v. AWH Corp., 415 F.3d 1303, 1312–17 (Fed. Cir. 2005) (en banc).
`
`
`1 US 6,157,721, issued Dec. 5, 2000 (filed Aug. 12, 1996) (Ex. 1004).
`2 Paul Kerchen et al., Static Analysis Virus Detection Tools for UNIX
`Systems, Proc. 13th Nat’l Computer Security Conf. 350 (1990) (Ex. 1019).
`3 R. Crawford et al., A Testbed for Malicious Code Detection: A Synthesis of
`Static and Dynamic Analysis Techniques, Proc. 14th Ann. Conf. Dep’t
`Energy Computer Security Group (1991) (Ex. 1011).
`
` 5
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`Under that standard, the words of a claim are generally given their “ordinary
`and customary meaning,” which is the meaning the term would have to a
`person of ordinary skill at the time of the invention, in the context of the
`entire patent including the specification. See Phillips, 415 F.3d at 1312–13.
`Only those terms in controversy need to be construed, and only to the extent
`necessary to resolve the controversy. See Vivid Techs., Inc. v. Am. Sci. &
`Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).
`Petitioner contends that each of the claim terms in the challenged
`claims should be given its plain and ordinary meaning and that no specific
`construction of any term is required. Pet. 11. Petitioner nonetheless
`addresses the phrase “a list of suspicious computer operations,” as recited in
`independent claim 10, “in light of arguments that Patent Owner has made in
`previous proceedings.” Id. Patent Owner responds to Petitioner’s
`arguments concerning this phrase and additionally proposes that the term
`“database,” which also is recited in independent claim 10, should be
`construed. Prelim. Resp. 4–11.
`
`1. “a list of suspicious computer operations”
`Petitioner contends, in particular, that although neither the previous
`petitioners nor Patent Owner explicitly sought a construction of the phrase
`“a list of suspicious computer operations” in prior inter partes review
`proceedings, Patent Owner “implicitly sought a narrow claim construction in
`[IPR2015-01894] . . . by arguing that this element . . . excludes the
`identification of non-suspicious operations, code or functions in the DSP.”
`
` 6
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`Pet. 11. Petitioner points out that the Board determined in that earlier case
`that no terms required express construction and contends that, “[c]onsistent
`with [the IPR2015-01894] decision, there is no support for Patent Owner’s
`attempt to limit this claim term such that the DSP lists only suspicious
`operations.” Id. at 11–12 (citing IPR2015-01894, slip op. at 9 (PTAB
`Mar. 11, 2016) (Paper 7)). Petitioner further contends, “[t]he claims are
`written with the transitional phrase ‘comprising’ which is well recognized in
`patent practice to mean ‘including but not limited to,’ making improper the
`restrictive construction of ‘only.’” Id. at 12.
`Patent Owner responds that, under the Phillips standard, a “list of
`suspicious operations” means “a list of computer operations deemed
`suspicious.” Prelim. Resp. 5. Patent Owner recognizes, however, that the
`Board in the final written decisions in both IPR2015-01892 and
`IPR2016-00159 rejected that construction and determined that the correct
`construction of this phrase is “a list of all operations that could ever be
`deemed potentially hostile,” based on disclosure in the specification of the
`U.S. Patent No. 6,092,194, incorporated by reference in the ’494 patent, that
`“[t]he code scanner 325 may generate the DSP data 310 as a list of all
`operations in the Downloadable code which could ever be deemed
`potentially hostile and a list of all files to be accessed by the Downloadable
`code. . . .” Id. at 6–7 (quoting IPR2016-01892, slip op. at 11 (PTAB
`Mar. 15, 2017) (Paper 58) (quoting ’194 patent, 5:50–54)). Patent Owner
`asserts that the Board’s construction in those cases was erroneous, alleging,
`inter alia, that “every computer operation the Downloadable may attempt
`
` 7
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`would be on such a list” and that “the embodiments of the ’494 Patent
`describing deriving ‘a list of suspicious computer operations[’] by
`‘determin[ing] whether the resolved command is suspicious’ would not
`result in the claimed ‘list . . . .’” Id. at 7–10.
`We disagree with Patent Owner’s contentions that the Board’s
`construction in IPR2015-01892 and IPR2016-00159 was erroneous and that
`such construction would exclude a preferred embodiment of the ’494 patent.
`See id. Regardless, because our determination not to institute trial in this
`proceeding does not depend on the construction of “a list of suspicious
`operations,” we conclude that there is no need to construe that phrase for
`purposes of this Decision. See Vivid Techs., Inc., 200 F.3d at 803.
`
`2. “database”
`Patent Owner contends that the term “database” means “a collection
`of interrelated data organized according to a database schema to serve one or
`more applications.” Prelim. Resp. 11. Patent Owner argues that this
`construction has been applied by every panel of the Board that has
`considered this term with respect to the ’494 patent and related patents, as
`well as the district court in Finjan, Inc. v. Sophos, Inc., No. 14-cv-01197
`(N.D. Cal. 2014), and has been agreed to by “numerous [p]etitioners
`considering this term in the context of the ’494 Patent and patents related
`thereto.” Id. (citations omitted).
`On this record and for purposes of this Decision, we adopt Patent
`Owner’s proposed construction. As Patent Owner points out (id.), this
`
` 8
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`construction was applied by the Board in prior proceedings, and it also has
`been adopted by the U.S. District Court for the Northern District of
`California in litigation involving the ’494 patent. See, e.g., Finjan, Inc. v.
`Sophos, Inc., No. 14-cv-01197 (Dkt. No. 73 (Claim Construction Order), 3–
`7) (N.D. Cal. Mar. 2, 2015) (Ex. 2001, 3–7); Symantec Corp. v. Finjan, Inc.,
`Case IPR2015-01892, slip op. at 16 (PTAB March 15, 2017) (Paper 58)
`(Ex. 2007); Palo Alto Networks, Inc. v. Finjan, Inc., Case IPR2016-00159,
`slip op. at 12 (PTAB Apr. 11, 2017) (Paper 50) (Ex. 2008); Sophos, Inc. v.
`Finjan, Inc., Case IPR2015-01022, slip op. at 9–10 (PTAB Jan. 28, 2016)
`(Paper 9) (Ex. 2009); Sophos, Inc. v. Finjan, Inc., Case IPR2015-00907, slip
`op. at 8–10 (PTAB Sept. 24, 2015) (Paper 8). We discern no reason to
`deviate from those previous determinations here.
`
`B. Discussion of Asserted Grounds
`3. Principles of Law
`A patent claim is unpatentable under 35 U.S.C. § 103(a) if the
`differences between the claimed subject matter and the prior art are “such
`that the subject matter as a whole would have been obvious at the time the
`invention was made to a person having ordinary skill in the art to which said
`subject matter pertains.” KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406
`(2007). The question of obviousness is resolved on the basis of underlying
`factual determinations, including (1) the scope and content of the prior art;
`(2) any differences between the claimed subject matter and the prior art;
`
` 9
`
`
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`(3) the level of skill in the art;4 and (4) objective evidence of
`nonobviousness, i.e., secondary considerations.5 Graham v. John Deere
`Co., 383 U.S. 1, 17–18 (1966). “To satisfy its burden of proving
`obviousness, a petitioner cannot employ mere conclusory statements. The
`petitioner must instead articulate specific reasoning, based on evidence of
`record, to support the legal conclusion of obviousness.” In re Magnum Oil
`Tools Int’l, Ltd., 829 F.3d 1364, 1380 (Fed. Cir. 2016). We analyze the
`asserted grounds with the principles stated above in mind.
`
`4. Obviousness over Shear and Kerchen
`a. Overview of Shear
`Shear, titled “Systems and Methods Using Cryptography to Protect
`Secure Computing Environments,” is directed to protection of “[s]ecure
`computation environments” from “bogus or rogue load modules, executables
`and other data elements through use of digital signatures, seals and
`certificates issued by a verifying authority.” Ex. 1004, [54], [57]. Shear
`describes various harmful computer programs and other computer security
`risks, including “Trojan horses” such as computer viruses, and discloses that
`
`
`4 Relying on the testimony of Dr. Clark, Petitioner proposes a definition of a
`person of ordinary skill in the art of the ’494 patent in the November 1996
`timeframe. Pet. 12–13 (citing Ex. 1003 ¶ 22). Patent Owner does not
`challenge this definition. For purposes of this Decision and to the extent
`necessary, we adopt Petitioner’s definition.
`5 Patent Owner does not contend in its Preliminary Response that any such
`secondary considerations are present.
`
`
`10
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`“[c]omputer security risks of all sorts—including the risks from computer
`viruses—have increased dramatically as computers have become
`increasingly connected to one another over the Internet and by other means.”
`Id. at 1:56–2:14. Shear further discloses that “[c]omputer viruses are by no
`means the only computer security risk made even more significant by
`increased computer connectivity,” pointing out that the “download and
`execute” capability of the Java computer language, which “allow[s]
`computers to interactively and dynamically download computer program
`code fragments (called ‘applets’) over an electronic network such as the
`internet, and execute the downloaded code fragments locally,” not only “has
`great potential,” but also “raises significant computer security concerns.” Id.
`at 2:27–46.
`In view of such risks, Shear purports to provide “improved techniques
`for protecting secure computation and/or execution spaces . . . from
`unauthorized (and potentially harmful) load modules or other ‘executables’
`or associated data.” Id. at 4:51–56. According to Shear, “[i]n accordance
`with one aspect provided by the present invention, one or more trusted
`verifying authorities validate load modules or other executables by analyzing
`and/or testing them.” Id. at 4:61–64. A verifying authority then “digitally
`‘signs’ and ‘certifies’ those load modules or other executables it has
`verified.” Id. at 4:64–66. Shear explains that protected processing
`environments and other protected execution spaces “can be programmed or
`otherwise conditioned to accept only those load modules or other
`executables bearing a digital signature/certificate of an accredited (or
`
`11
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`particular) verifying authority”; that “[t]amper resistant barriers may be used
`to protect this programming or other conditioning”; and that “[a] web of
`trust may stand behind a verifying authority” and “prevent[] value chain
`participants from conspiring to defraud other value chain participants.” Id.
`at 5:1–25.
`“In accordance with another aspect,” Shear discloses, “each load
`module or other executable has specifications associated with it describing
`the executable, its operations, content, and functions.” Id. at 5:26–29.
`According to Shear,
`A verifying authority analyzes, validates, verifies,
`inspects, and/or tests the load module or other executable, and
`compares its results with the specifications associated with the
`load module or other executable. A verifying authority may
`digitally sign or certify only those load modules or other
`executables having proper specifications and may include the
`specifications as part of the material being signed or certified.
`A verifying authority may instead, or in addition,
`selectively be given the responsibility for analyzing the load
`module and generating a specification for it. Such a specification
`could be reviewed by the load module’s originator and/or any
`potential users of the load module.
`A verifying authority may selectively be given the
`authority to generate an additional specification for the load
`module, for example by translating a formal mathematical
`specification to other kinds of specifications. . . .
`Additionally, a verifying authority may selectively be
`empowered to modify the specifications to make it accurate—
`but may refuse to sign or certify load modules or other
`executables that are harmful or dangerous irrespective of the
`accuracy of their associated specifications. The specifications
`
`
`12
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`
`may in some instances be viewable by ultimate users or other
`value chain participants . . . .
`In accordance with another aspect provided by the present
`invention, an execution environment protects
`itself by
`deciding—based on digital signatures, for example—which load
`modules or other executables it is willing to execute. A digital
`signature allows the execution environment to test both the
`authenticity and the integrity of the load module or other
`executables, as well permitting a user of such executables to
`determine their correctness with respect to their associated
`specifications or other description of their behavior, if such
`descriptions are included in the verification process.
`Id. at 5:40–6:15.
`
`b. Overview of Kerchen
`Kerchen is an article directed to the analysis of computer programs to
`identify suspicious code before the code is installed on a user’s computer.
`Ex. 1019, 350. Kerchen discloses two “heuristic tools” for detecting
`computer viruses, referred to as a “detector” tool and a “filter” tool. Id.
`at 350–63.
`The detector tool examines a computer program to determine if it
`contains any duplicate calls to operating system services. Id. at 351.
`According to Kerchen, “duplicated calls might be . . . indicative of a virus
`that has linked itself to the program.” Id. Kerchen discloses that the
`detector tool first disassembles the computer program being examined and
`then finds all instances of code that perform some operating system service.
`Id. If two different pieces of code are found to include the same service
`calls, this condition is flagged. Id. at 351–52.
`
`13
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`
`The filter tool is designed to analyze an executable computer program
`to identify “the files that the program could write to.” Id. at 354. Using this
`methodology, the filter first identifies “all open calls in the program” and
`then “enumerate[s] the possible filename arguments to these calls.” Id.
`at 354–55. “Upon being presented with the names of files that the program
`could write, the user could determine if the program is suspicious.” Id.
`at 355. In summary, according to Kerchen, the “filter tries to determine the
`names of all files which might be modified by the program,” and “[b]y
`comparing the enumeration of names and the specified restriction, the virus
`filter can claim the program is safe or is suspicious.” Id. at 356.
`
`c. Analysis
`Petitioner contends that Shear discloses the preamble and the
`“receiver for receiving an incoming Downloadable” recited in independent
`claim 10. Pet. 37–39 (citing Ex. 1003 ¶¶ 100–103). In particular, Petitioner
`maps Shear’s verifying authority to the recited “receiver” and Shear’s load
`module to the recited “incoming Downloadable.” Id. at 38 (citing Ex. 1004,
`9:45–48, Fig. 2; Ex. 1003 ¶ 101).
`Petitioner relies on Shear in combination with Kerchen as disclosing
`“a Downloadable scanner coupled with said receiver, for deriving security
`profile data for the Downloadable,” as recited in claim 10. Id. at 39–43
`(citing Ex. 1003 ¶¶ 105–110). Petitioner contends, in particular, that Shear’s
`“specification ‘describing the executable, its operations, content, and
`functions’” corresponds to the recited “security profile data,” and that Shear
`
`
`14
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`discloses that its verification authority—corresponding to the recited
`receiver—“can generate, add to, or modify these specifications.” Id. at 39–
`40 (citing Ex. 1004, 5:26–29, 5:48–50, 5:53–55, 5:61–63; Ex. 1003 ¶ 105).
`Petitioner further contends that “[t]o ensure ‘the specifications are both
`accurate and complete,’ Shear discloses that the verifying authority
`(receiver) uses software tools in order to determine whether the load
`executable is a virus or includes detectable bugs or other harmful
`functionality (suspicious operations).” Id. at 40–41 (citing Ex. 1003 ¶ 106;
`Ex. 1004, 10:12–22). According to Petitioner, “Shear describes that the
`verifying authority uses known tools to inspect the code and known
`techniques to test the load module in the preparation/verification of the
`specification” and a person of ordinary skill in the art (“POSA”) “would
`understand that Shear’s reference to the use of known tools would include a
`conventional scanner.” Id. at 41 (citing Ex. 1004, 10:12–31; Ex. 1003
`¶ 107).
`Further, Petitioner contends, “[t]o the extent Patent Owner argues that
`Shear does not sufficiently disclose a scanner to a POSA, Kerchen discloses
`that the detector tool scans a computer program (a Downloadable scanner)
`to determine if it contains any duplicate instances of operating system
`service calls (such as file operations like read and write), which would be
`flagged as suspicious code,” and “[i]t would have been obvious to combine
`the detector . . . of Kerchen with Shear.” Id. at 42 (citing Ex. 1019, 351;
`Ex. 1003 ¶ 108). More particularly, “[i]t would be obvious to a POSA to
`combine the detector disclosed in Kerchen with the verifying authority in
`
`15
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`Shear that receives the executable in order to use a conventional technique
`for examining code to identify suspicious code,” “consistent with the mere
`reference to ‘conventional’ scanning techniques in the ’494 Patent . . . .” Id.
`at 43 (citing Ex. 1003 ¶ 109).
`Regarding the requirement in claim 10 that the security profile data
`“includ[es] a list of suspicious computer operations that may be attempted
`by the Downloadable,” Petitioner contends that “[a] POSA would have
`understood that both the code and the operations contained or performed in
`the executable are analyzed in Shear and would be identified in Shear’s
`specification, including well-known operations such as ‘read’, ‘write’,
`‘rename’, ‘delete’, ‘open’ etc.,” and that “[a] POSA also would have
`understood that these operations . . . may be considered to have harmful
`functionality and would be identified as suspicious so that appropriate action
`can be taken.” Id. at 43–44 (citing Ex. 1003 ¶ 111). Further, “[t]o the extent
`that the Patent Owner argues that Shear does not sufficiently identify the
`operations that would be considered suspicious, Kerchen identifies how and
`why to analyze code to identify suspicious operations (as an example of ‘one
`or more computer-based software testing techniques and/or tools’ to be used
`with Shear).” Id. at 44 (citing Ex. 1004, 10:18–19; Ex. 1003 ¶ 113).
`Finally, regarding the recited “database manager coupled with said
`Downloadable scanner, for storing the Downloadable security profile data in
`a database,” Petitioner contends that “Shear discloses the specification 110
`includes data in a number of fields of information preferably in a data file,”
`and “[i]n view of a POSA, it is implicit in the Shear patent that the data file
`
`16
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`representing the specification 110 is stored in a ‘database.’” Id. at 45–46
`(citing Ex. 1003 ¶¶ 114, 116). According to Petitioner, Figure 4 of Shear
`illustrates that “the name of the load module, the author, and the functions
`are all included [in] the specification 110 in an organized structure,” and “[a]
`POSA would have understood the corresponding data file described by
`Shear would also be so structured.” Id. at 46. Further, Petitioner contends,
`“Shear incorporates by reference the entirety of Ginter et al,6 which
`explicitly discloses the use of a ‘database’ to store structured data.” Id.
`(citing Ex. 1:8–15; Ex. 1005, 12:21–13:10; Ex. 1003 ¶ 116). Through
`Ginter, Petitioner contends, “Shear . . . discloses that a ‘database
`manager 730 may then be used to organize, store, and retrieve the records,”
`and “the ‘database manager 730 may maintain the secure database 610.” Id.
`(citing Ex. 1005, 15:1–2, 11:14–18; Ex. 1003 ¶ 117). Moreover, “to the
`extent that Patent Owner argues that Shear does not sufficiently disclose that
`the specification is stored in a database, it would have been obvious to a
`POSA to modify Shear to store the generated specification in a database,
`consistent with the ’494 Patent specification’s admission that a database was
`a well-known, interchangeable store structure,” “(1) in order to preserve the
`structure nature of the data . . . [and] (2) [because] the use of databases was
`commonly used in virus detection technologies to store structured
`information derived from an analysis of the executable code as described in
`Kerchen.” Id. at 47–48 (citing Ex. 1003 ¶¶ 120–121). Petitioner concludes,
`
`6 U.S. Patent Application No. 08/388,107, filed Feb. 13, 1995 (Ex. 1005).
`
`17
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`“because Kerchen discloses that the output of its detector tool would be
`stored in a database, the combination of the teachings of Shear with the
`teachings of Kerchen discussed above . . . also results in satisfying the
`‘storing the Downloadable security profile data in a database’ limitation.”
`Id. at 48 (citing Ex. 1003 ¶ 121).
`Patent Owner responds that Shear in view of Kerchen fails to disclose
`either the recited “Downloadable scanner . . . for deriving Downloadable
`security profile data, . . . including a list of suspicious computer operations”
`or the recited “database manager . . . for storing Downloadable security
`profile data in a database.” Prelim. Resp. 30–44.
`First, according to Patent Owner, Petitioner’s argument that “Shear
`describes that the verifying authority uses known tools to inspect the code
`and known techniques to test the load module in the preparation/verification
`of the specification” is “based on an inaccurate reading of Shear because
`Petitioner conflates what is provided in the specification and what Shear’s
`‘verifying authority’ does with the specification and Downloadable after the
`specification is already generated.” Id. at 30 (quoting Pet. 41). Patent
`Owner contends that the portion of Shear quoted by Petitioner in support of
`its argument demonstrates that Shear’s “‘analyzing tool(s)’ are not used ‘in
`the preparation’ of the specification that Petitioner equates with the DSP, but
`rather to verify that a load module ‘performs as specified by its associated
`specifications.’” Id. at 31 (quoting Ex. 1003, 10:12–22). Thus, Patent
`Owner contends, “whether generated by the developer or at the verifying
`authority, there is no indication . . . Shear teaches a Downloadable scanner
`
`18
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`for deriving DSP data, including a list of suspicious computer operations
`that may be attempted by the Downloadable.” Id.
`Second, Patent Owner contends “Petitioner does not attempt to
`construe what the term Downloadable scanner encompasses or point to any
`disclosure in Shear that meets such a construction.” Id. Whereas “Petitioner
`conclusorily states a ‘POSA would understand that Shear’s reference to the
`use of known tools would include a conventional scanner,” Patent Owner
`argues, Petitioner does not “explain how these alleged ‘known tools’ used to
`verify the load module qualify as a ‘Downloadable scanner.’” Id. (quoting
`Pet. 41). Further, notwithstanding Petitioner’s assertion that “[t]he
`’494 patent acknowledges that scanners and the tools for deriving the data
`for the security profile were known in the art” (Pet. 41), Patent Owner
`contends that “[t]he ’494 Patent discloses that ‘code scanner 325 uses
`conventional parsing techniques to decompose the code,’ not that such a
`scanner or such techniques were known to be used in order to derive
`Downloadable security profile data for a Downloadable, let alone DSP data
`that includes a list of suspicious computer operations” (Prelim. Resp. 31–
`32).
`Third, Patent Owner contends, Shear does not state that its
`“specification” includes a list of suspicious computer operations that may be
`attempted by a Downloadable, but Shear’s specification instead “simply
`‘describ[es] the executable, its operations, content, and functions.’” Id. at 32
`(quoting Ex. 1004, 5:26–29). In response to Petitioner’s assertion that “[a]
`POSA would have understood that both the code and the operations
`
`19
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`contained or performed in the executable are analyzed in Shear and would
`be identified in Shear’s specification, including well-known operations such
`as ‘read,’ ‘write,’ ‘rename,’ ‘delete,’ ‘open,’ etc. (a list of suspicious
`computer operations that may be attempted by the Downloadable)”
`(Pet. 43), Patent Owner argues that Petitioner cites no evidence to support
`this assertion other than the declaration of Dr. Clark, which “merely repeats
`the same argument and is likewise devoid of citation to any evidence to
`support this point.” Prelim. Resp. 33–34 (citing Ex. 1003 ¶ 111). Further,
`Patent Owner contends, “[n]ot only does Shear not disclose that those
`operations [are] identified in its specification,” but “the inclusion of those
`operations in the specification [would] not mean that Shear’s specification
`includes a list of suspicious computer operations that may be attempted by
`the Downloadable.” Id. at 34.
`According to Patent Owner, “Kerchen also fails to cure the
`deficiencies of Shear at least because it also does not teach or suggest [a]
`downloadable scanner for deriving DSP data, including a list of suspicious
`computer operations that may be attempted by a Downloadable.” Id. While
`acknowledging that Kerchen states that its “approach involves the analysis
`of a program prior to installation, the analysis attempting to identify
`suspicious code,” Patent Owner argues that “the question to be resolved is
`not whether it was known in the prior art to identify suspicious code,” but
`instead “whether it was known to use a scanner to derive DSP data that
`includes a list of suspicious computer operations that may be attempted by a
`Downloadable and a database manager for storing the DSP data in a
`
`20
`
`
`
`
`
`
`IPR2017-02155
`Patent 8,677,494 B2
`
`database.” Id. at 35 (quoting Ex. 1019, 351). According to Patent Owner,
`Kerchen does not do so, b